TMS320F28377D: security setting example on dual core

Hello everybody, Carlo ask the question because of me.

I need to insert the password to my dual core: very simply I would like to assigne all the resources to Z1 and put a simple pswd in such a way to have access to everything internally, but externally not (not be able to reprogram with C2Prog or CCS except when I provide the right psw).

I attached A project wich basically blocked my DSP: there is a ReadMe file inside where there is described the solution I use to insert the PSW and the problem I found. I need a solution an How to

1) Insert Pswd in the right way in the code

2) Connect with the right Psw using CCS

3) Reprogram the DSP using C2Prog

Thank you,

Andrea Marcianesi.

Andrea,

On dual core device, both CPU have Z1 and Z1. Do you need to secure Z1 on only CPU1 or both CPU (CPU1 as well as CPU2) ?

Regards

Vivek Singh

HI Vivek ,
they need both .
regards
Carlo

Hi,

After reading the ReadMe file, I understand that you are not able to connect to CCS after programming the passwords. This is expected. Once passwords are programmed, you can not connect to CCS with boot to flash option. This is clearly mention in the device TRM section "2.13.1.1 Emulation Code Security Logic (ECSL)". We have following note in this section -

"When initially debugging a device with the password locations in OTP programmed (secured), the
emulator takes some time to take control of the CPU. During this time, the CPU will start running and may
execute an instruction that performs an access to a protected ECSL area and ifthe CPU is halted when
the program counter (PC) is pointing to a secure location, the ECSL will trip and cause the emulator
connection to be broken.
The solution to this problem is:
• Use the Wait Boot Mode boot option. In this mode, the CPU will be in a loop and hence will not jump to
the user application code. Using this BOOTMODE, the user can connect to CCS and debug the code. "

Please change the BOOTMODE pin setting to Wait Boot or any other Boot mode (which is not used) and reset the device. Now you should be able to connect to device and then unlock the device by providing correct password in flash plug-in GUI.

Let me know if you still face the issue.

Regards,

Vivek Singh

Good Morning Vivek,
first of all thank you very much for your answer.
I Try to force GPIO84=0 and GPIO72=1 (Wait Mode), and now I'm able to connect to the DSP again. So your answer were right for the BlackHawk Part.
I thought that when the debugger was present, the wait mode was the default BOOTMODE. My fault.
Now, for production, I would like to reprogram the DSP, using C2PROG, with serial communication. For this reason in this case I put GPIO84=1 and GPIO72=0 (SCI Boot Mode). If you read the ReadMe file, you can see that although the C2PROG gives the possibility to insert the Psw, C2PROG fails to reprogram CPu1.
How can I make C2PROG working?

Good Morning Codeskin,

in my DSP, I only secured CPU1, assigning everything to z1 zone.

In the codeskin GUI there is only the possibility to insert 4 characthers and no numbers like 0xFFF because are 6 characters.

Yes I'm sure to have typed the right Psw, but is not working the unlocking. BTW, I attached the project and if you have a test board with a dual core, you can try by yourself. For us this is a big issue.

I try also to put all 0s in all Keys and actually worked, the interface Unlock the DSP: now this is very very strange, because the Dcsm is actually secured, so how can be possible this? There is the popssibility to unlock all the dual core just inserting all zeros in the key field? Can you explain to me how it works? I'm not sure it program the DSP, but at least the C2PROG confirme the unlock, erase program.

I need clearly to make working all the process with the right psw, and lock the DSP with all 0.

Thank you.

Hello Codeskin,
the password I programmed for the Z1 zone is the following
DcsmZ1Regs.Z1_CSMKEY0 = 0xFFFFFFFE;
DcsmZ1Regs.Z1_CSMKEY1 = 0xFFFFFFFF;
DcsmZ1Regs.Z1_CSMKEY2 = 0xFFFFFFFF;
DcsmZ1Regs.Z1_CSMKEY3 = 0xFFFFFFFF;

so, I the psw I think I should use is
Key1=FFFE
Key2=FFFF
Key3=FFFF
Key4=FFFF
Key5=FFFF
Key6=FFFF
Key7=FFFF
Key8=FFFF

Instead, the psw which work was
Key1=FFFF
Key2=FFFE
Key3=FFFF
Key4=FFFF
Key5=FFFF
Key6=FFFF
Key7=FFFF
Key8=FFFF

So it is possible that Key2 is the less significant word (16bit) of Z1_CSMKEY0 ?

Hello Andrea - yes this is correct: most significant word first, least significant second.

The reason for why C2Prog was able to unlock the CSM when you entered the special key of all zeroes is because you have not yet activated the password lock (PSWDLOCK location in OTP) and therefore the C2Prog kernel is able to read the keys (see section 2.13.1.4 in spruhm8g).

OK, codeskin,
Then also C2Prog is working.

I understood the case of the psw locking, so now, if I lock the psw, I should be able to enter only with the right psw, not all 0, is that right? I will try and let you know.

Finally, when you say "that C2Prog currently only supports Z1 of the DCSM, you mean on both CPU or only for CPU1? When will be ready the support for z2 zone ?

Thank you very much for your answer Codeskin.

Regards,
Andrea Marcianesi.

Andrea,

I understood the case of the psw locking, so now, if I lock the psw, I should be able to enter only with the right psw, not all 0, is that right? I will try and let you know.

This is in actual hardware so yes, once you program the PSWDLOCK field, Codeskin will not be able to read the password values from device hence entering password value as ALL 0x0 will not work.

Regards,

Vivek Singh

Good Morning Vivek,

One more help please.

I try to lock the password programming the default values of the structure DcsmZ1Otp in this way

#define DCSM_Z1_OTP_DEFAULTS {    

0xFFFFFFFE,       \ Z1OTP_LINKPOINTER1

0xFFFF,           \

0xFFFF,           \

0xFFFFFFFE,       \ Z1OTP_LINKPOINTER2

0xFFFF,           \

0xFFFF,           \

0xFFFFFFFE,       \ Z1OTP_LINKPOINTER3:

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFFFFFE,       \ Z1OTP_PSWDLOCK: To lock the psw I pu somenthing different from all 0s

0xFFFF,           \

0xFFFF,           \

0xFFFFFFFF,       \ Z1OTP_CRCLOCK

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFF,           \

0xFFFFFFFF  }     \ Z1OTP_BOOTCTRL

I did not touch anything else, but now my DSP is not running nothing: the led did not flash anymore, The C2PROG is not able to Autodetect the DSP so even the serial communication failed.

It seems that the DSP is not doing nothing.

On the contrary, with the black Hack I was able to connect to the DSP, using the same psw as before, but then the CPU stuck in a while. 

All this behaviour just changing 1 bit  of the PSWLOCK in OTP: from0xFFFFFFFF,  to 0xFFFFFFFE

Have you some idea?

Thank you for your answer

Andrea Marcianesi.

Andrea, Changing only PSWDLOCK value should not cause any issue to existing code. It only prevents access to password location. Have you tried the WAIT boot mode?

Vivek Singh

Good Morning Vivek,

The problem is not that I'm not able to connect with the debugger: if I put the DSP in wait Boot Mode (GPIO72=1, GPIO84=0), the debugger is able to connect and program the DSP. The problem is that when I unplug the debugger, and supply the DSP normally, the DSP is blocked. I think that this is because the CPU1, is waiting for the CPU2. So it seems that locking the password, has something to do with Inter Processor communication.

You have my code example, you can try by yourself: In the example, I have 2 led in CPU1 (GPIO66, GPIO67) and one in CPU2 (GPIO68). The only change you have to do is the word from 0xFFFFFFFF to 0xFFFFFFFE in the #define DCSM_Z1_OTP_DEFAULTS in F2837xD_dcsm.h file.

The strange thing is that when I put the DSP in SCI Boot (GPIO72=0, GPIO84=1), the C2PROG is not able to connect to the DSP because fail to autodetect during the serial communication: in practice C2 prog is not able to communicate with the DSP (the unlocking phase should follow this phase, but C2PROG fail before the iunlocking phase).

Thank you very much for your help.

Andrea MArcianesi.

Andrea,

Vivek is not available now. I will ask him to take a look at your reply when available.

Can you check if you have modified the BOOTCTRL accidentally?

Thanks and regards,
Vamsi

Andrea,

Sorry, I am on travel hence can not try the example you sent. As I mentioned earlier, PSWDLOCK bit only affect the visibility of password locations in OTP hence should not impact the execution. Can you send us the snapshot of the DCSM_Z1_OTP and Zone_Select_Block locations from CCS memory watch window? You can unlock the device and then open the applicable memory range and CCS memory watch window and send the snapshot.

Vivek Singh

Good Morning Vivek and have a good trip!

Here is the picture you ask me.

Thank you for your help.

Regards,

Andrea Marcianesi.

Andrea,

Another question: Did you secure CPU2 as well?

Thanks and regards,
Vamsi

Hi Vamsi,
first of all thank you for your help.

Let's answer in order:
1) Looks like you shared a project with Vivek. Can you send it to me so that I can try?
Unfortunately, I had to remove the example project, but I will give you an example as soon as possible.

2) As per the snapshot that you provided, I see that only Sector A to Sector G are assigned to Zone 1 and rest are not secured. Is this intentional? I am asking since you mentioned that you want to assign all the resources to Zone 1.
Yes, this is wanted because actually my project is for a F28374D which has only Sectors A to G.

3) Do you have any code in unsecured Flash that is trying to access secure Flash or RAM? Please check.

Yes, I have code which is running from GSxRAM: the example is a bootloader and the API Flash Write function are running from this block, for example. This should not be a problem because in the main, the istructions are the following

void main(void)
{
u16 i;
unsigned char u16_CheckBuffer[32];
u16 u16_CheckBuffer2[32];
u16 u16_Tmp1;

InitSysCtrl();
DCSM_DcsmInit();
CsmUnlock();
….
With
Uint16 CsmUnlock()
{
volatile Uint16 temp;

// Load the key registers with the current password. The 0xFFFF's are dummy
// passwords. User should replace them with the correct password for the DSP.

EALLOW;
DcsmZ1Regs.Z1_CSMKEY0 = 0xFFFFFFFE;
DcsmZ1Regs.Z1_CSMKEY1 = 0xFFFFFFFF;
DcsmZ1Regs.Z1_CSMKEY2 = 0xFFFFFFFF;
DcsmZ1Regs.Z1_CSMKEY3 = 0xFFFFFFFF;
EDIS;
return 0;

}
So all secured flash should be unsecured before doing somenthing.

4) Can you confirm that the only thing that is changed from working to not-working project is the 1 bit flip in PSWDLOCK? Did you try it again in that sequence: 0xFFFFFFFF should work and then only one change 0xFFFFFFFE does not work?
Yes, I can confirm this.

5) Did you secure CPU2 as well?
No, The CPU2 has all the resources unsecured.

As soon as possible, I will provide to you, my example.
Regards,
Andrea Marcianesi

Andrea,

#1:  Ok, I will wait for the example.

New question:  Did the application succeed in standalone (without debugger) mode before the password lock is programmed?

Thanks and regards,

Vamsi

Hello Vamsi,
excuse me for the delay, but I tried between several other tasks, so I was a bit late. Anyway, I did exactly what you suggested, more exactly
I split the structure

/*struct DCSM_Z1_OTP {
Uint32 Z1OTP_LINKPOINTER1
Uint16 rsvd1[2];
Uint32 Z1OTP_LINKPOINTER2;
Uint16 rsvd2[2];
Uint32 Z1OTP_LINKPOINTER3;
Uint16 rsvd3[6];
Uint32 Z1OTP_PSWDLOCK;
Uint16 rsvd4[2];
Uint32 Z1OTP_CRCLOCK;
Uint16 rsvd5[8];
Uint32 Z1OTP_BOOTCTRL;
};*/
In the followings:
struct DCSM_Z1_OTP_LINKPOINTERS {
Uint32 Z1OTP_LINKPOINTER1;
Uint16 rsvd1[2];
Uint32 Z1OTP_LINKPOINTER2;
Uint16 rsvd2[2];
Uint32 Z1OTP_LINKPOINTER3;
Uint16 rsvd3[2];
};

struct DCSM_Z1_OTP_PSWLOCK {
Uint32 Z1OTP_PSWDLOCK;
Uint16 rsvd[2];

struct DCSM_Z1_OTP_CRCLOCK {
Uint32 Z1OTP_CRCLOCK;
Uint16 rsvd[2];

struct DCSM_Z1_OTP_BOOTCTRL {
Uint16 rsvd[2];
Uint32 bZ1OTP_BOOTCTRL;
};

The same I did for Z2 Zone, only for CPU1, because I did not lock CPU2.

I prepared the default structures for Z1-POINTERS and PSWLOCK as follow
#define DCSM_Z1_OTP_LINKPOINTERS_DEFAULTS {
0xFFFFFFFE, \
0xFFFF, \
0xFFFF, \
0xFFFFFFFE, \
0xFFFF, \
0xFFFF, \
0xFFFFFFFE, \
0xFFFF, \
0xFFFF }



#define DCSM_Z1_OTP_PSWLOCK_DEFAULTS {
0xFFFFFFFE, \
0xFFFF, \
0xFFFF }

In the “F2837xD_Headers_nonBIOS_cpu1.cmd” file, I made these changes,
/*DCSM_Z1_OTP : origin = 0x078000, length = 0x000020 /* Part of Z1 OTP. LinkPointer/JTAG lock/ Boot Mode */
DCSM_OTP_Z1_LINKPOINTER : origin = 0x78000, length = 0x00000C
/* Z1 OTP. PSWDLOCK/RESERVED */
DCSM_OTP_Z1_PSWDLOCK : origin = 0x78010, length = 0x000004
/* Z1 OTP. CRCLOCK/RESERVED */
DCSM_OTP_Z1_CRCLOCK : origin = 0x78014, length = 0x000004
/* Z1 OTP. RESERVED/BOOTCTRL */
DCSM_OTP_Z1_BOOTCTRL : origin = 0x7801C, length = 0x000004


/* DCSM Z1 Zone Select Contents (!!Movable!!) */
/* Z1 OTP. Z1 password locations / Flash and RAM partitioning */
DCSM_ZSEL_Z1_P0 : origin = 0x78030, length = 0x000010

/*DCSM_Z2_OTP : origin = 0x078200, length = 0x000020 /* Part of Z2 OTP. LinkPointer/JTAG lock */
DCSM_OTP_Z2_LINKPOINTER : origin = 0x78200, length = 0x00000C
/* Z2 OTP. GPREG1/GPREG2 */
DCSM_OTP_Z2_GPREG : origin = 0x7820C, length = 0x000004
/* Z2 OTP. PSWDLOCK/RESERVED */
DCSM_OTP_Z2_PSWDLOCK : origin = 0x78210, length = 0x000004
/* Z2 OTP. CRCLOCK/RESERVED */
DCSM_OTP_Z2_CRCLOCK : origin = 0x78214, length = 0x000004
/* Z2 OTP. GPREG3/BOOTCTRL */
DCSM_OTP_Z2_BOOTCTRL : origin = 0x7821C, length = 0x000004

/* DCSM Z2 Zone Select Contents (!!Movable!!) */
DCSM_ZSEL_Z2_P0 : origin = 0x78220, length = 0x000010

….

/*** Warning: Only remove "Type = NOLOAD" to program OTP Locations ***/
/*DcsmZ1OtpFile : > DCSM_Z1_OTP, PAGE = 1*/
DcsmZ1OtpLinkPointers : > DCSM_OTP_Z1_LINKPOINTER, PAGE = 1
DcsmZ1OtpPswLock : > DCSM_OTP_Z1_PSWDLOCK, PAGE = 1
DcsmZ1OtpCrcLock : > DCSM_OTP_Z1_CRCLOCK, PAGE = 1, type = NOLOAD
DcsmZ1OtpBootCtrl : > DCSM_OTP_Z1_BOOTCTRL, PAGE = 1, type = NOLOAD

DcsmZselZ1File : > DCSM_ZSEL_Z1_P0 PAGE = 1
/*DcsmZ2OtpFile : > DCSM_Z2_OTP, PAGE = 1, type = NOLOAD*/
DcsmZ2OtpLinkPointers : > DCSM_OTP_Z2_LINKPOINTER, PAGE = 1, type = NOLOAD
DcsmZ2OtpPswLock : > DCSM_OTP_Z2_PSWDLOCK, PAGE = 1, type = NOLOAD
DcsmZ2OtpCrcLock : > DCSM_OTP_Z2_CRCLOCK, PAGE = 1, type = NOLOAD
DcsmZ2OtpBootCtrl : > DCSM_OTP_Z2_BOOTCTRL, PAGE = 1, type = NOLOAD
DcsmZselZ2File : > DCSM_ZSEL_Z2_P0 PAGE = 1, type = NOLOAD

And in F2837xD_GlobalVariableDefs.c I made these changes
//----------------------------------------
/*#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ1OtpFile")
#else
#pragma DATA_SECTION(DcsmZ1Otp,"DcsmZ1OtpFile");
#endif
const struct DCSM_Z1_OTP DcsmZ1Otp = DCSM_Z1_OTP_DEFAULTS;*/

//----------------------------------------
#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ1OtpLinkPointers")
#else
#pragma DATA_SECTION(DcsmZ1OtpLnkPnt,"DcsmZ1OtpLinkPointers");
#endif
const struct DCSM_Z1_OTP_LINKPOINTERS DcsmZ1OtpLnkPnt = DCSM_Z1_OTP_LINKPOINTERS_DEFAULTS;
//----------------------------------------
#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ1OtpPswLock")
#else
#pragma DATA_SECTION(DcsmZ1OtpPswLk,"DcsmZ1OtpPswLock");
#endif
const struct DCSM_Z1_OTP_PSWLOCK DcsmZ1OtpPswLk = DCSM_Z1_OTP_PSWLOCK_DEFAULTS;
//----------------------------------------
#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ1OtpCrcLock")
#else
#pragma DATA_SECTION(DcsmZ1OtpCrcLk,"DcsmZ1OtpCrcLock");
#endif
struct DCSM_Z1_OTP_CRCLOCK DcsmZ1OtpCrcLk;
//----------------------------------------
#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ1OtpBootCtrl")
#else
#pragma DATA_SECTION(DcsmZ1OtpBtCtrl,"DcsmZ1OtpBootCtrl");
#endif
struct DCSM_Z1_OTP_BOOTCTRL DcsmZ1OtpBtCtrl;
//----------------------------------------
/*#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ2OtpFile")
#else
#pragma DATA_SECTION(DcsmZ2Otp,"DcsmZ2OtpFile");
#endif
volatile struct DCSM_Z2_OTP DcsmZ2Otp;*/
//----------------------------------------
#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ2OtpLinkPointers")
#else
#pragma DATA_SECTION(DcsmZ2OtpLnkPnt,"DcsmZ2OtpLinkPointers");
#endif
struct DCSM_Z2_OTP_LINKPOINTERS DcsmZ2OtpLnkPnt;
//----------------------------------------
#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ2OtpPswLock")
#else
#pragma DATA_SECTION(DcsmZ2OtpPswLk,"DcsmZ2OtpPswLock");
#endif
struct DCSM_Z2_OTP_PSWLOCK DcsmZ2OtpPswLk;
//----------------------------------------
#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ2OtpCrcLock")
#else
#pragma DATA_SECTION(DcsmZ2OtpCrcLk,"DcsmZ2OtpCrcLock");
#endif
struct DCSM_Z2_OTP_CRCLOCK DcsmZ2OtpCrcLk;
//----------------------------------------
#ifdef __cplusplus
#pragma DATA_SECTION("DcsmZ2OtpBootCtrl")
#else
#pragma DATA_SECTION(DcsmZ2OtpBtCtrl,"DcsmZ2OtpBootCtrl");
#endif
struct DCSM_Z2_OTP_BOOTCTRL DcsmZ2OtpBtCtrl;

Now all works flawless. But now some questions arise:

1) From a “C” language point of view, doing this way or doing like before is the same, so I don’t understand what changes from this way to the other. Moreover I did not understand very well what happen when you say “I think ECC is not getting programmed for the PSWDLOCK location and is causing an ECC error. When tools get to program below structures, they first find the link pointer address and hence they skip programming ECC for the entire structure”. The ECC is basically the parity checker for the memory, by is activated by default? If yes It gives a NMI? How I can set the software in such a way that I can understand that there was an ECC Error (The ECC automatically changes data provided to the CPU but not in Flash, that’s why The Flash memory reader shown the PSWLOCK address correctly programmed to 1):
2) The same method could be applied to the CPU2 to secure it ?
3) Unsecuring at the beginning of the main with the function CsmUnlock(); is safe or not? I mean our goal is to protect the flash code, so we would like to
1) avoid to connect to the DSP and read the flash, using external communication, but in our protocols there are not Flash read commands.
2) Avoid to connect with a debugger, unless you know the password
3) Avoid to download or reprogram the DSP, using some boot mode, unless you know the password.
That’s why I ask.

Thank you Vamsi for your help, was very important for us.

Regards,
Andrea Marcianesi.

Good morning Vamsi,

ok, I will read the ECC module in the manual and I will enable the NMI in such a way to manage these kind of event.

Thankyou very much

Andrea Marcianesi.